Summary of changes in ISO 13485:2016

Clause 4.1 - General requirements

Updates required:

* Documentation

* Increased regulatory and risk based approach

* Outsourced processes

* Change management

* Validation of software

- Added requirement to document the role(s) of the organization.

- Requires the determination of processes taking into account the roles undertaken by the organization.

- Requires the application of a risk based approach to the control of the appropriate processes needed for the quality management system.

- Adds requirements related to changes to processes.

- Added requirements related to validation of the application of computer software used in the quality management system.

Clause 4.2 - Documentation requirements

Updates required:

* Clauses 6, 7 and 8

* Medical device file

* Controls related to document and record amendment, security and integrity

- Includes control of records within the document control requirements.

- Lists the documents that would be included in the medical device file.

- New requirement related to protection of confidential health information.

- New requirement related to deterioration and loss of documents.

Clause 5 - Management Responsibility

* Increased focus on regulatory requirements

* Documented procedures for management review and documented planned intervals


- Includes requirement for the documentation of one or more procedures for management review and the requirement for management reviews at documented planned intervals.

- Lists of inputs and outputs of management review have been expanded.

Clause 6.2 - Human resources

Updates required:

* Documented processes for competence, awareness and training

* Risk based training effectiveness

- New requirement for documentation processes of establishing competence, providing needed training and ensuring awareness of personnel.

Clause 6.3 - Infrastructure

Updates required:

* Processes for preventing product mix-up

* Information systems infrastructure

* Maintenance intervals for production or monitoring equipment

- Adds requirement that infrastructure prevents product mix-up and ensure orderly handling of product.

- Adds information system to the listing of supporting services.

Clause 6.4 Work environment

Updates required:

* Documentation requirements for work environment

* Contamination controls for sterile medical devices

- Added documentation requirements for work environment.

- Added requirement related to control of contamination with microorganism or particulate matter for sterile medical devices.

Clause 7.1 - Planning of product realization

Updates required:

* Processes for risk management

* Requirements for storage, handling, distribution and traceability

- Added requirements to list.

Clause 7.2 - Customer related processes

Updates required:

* Requirement and availability for any user training

* Documented processes for communicating with stakeholders, including regulatory authorities

- Added requirements to list.

- New requirement related to communication with regulatory authorities.

Clause 7.3 - Design and development

Updates required:

* Traceability of design inputs to outputs

* Required resources, including competence of personnel involved in design projects

* Additional details and documentation for verification and validation plans, including statistical techniques, sampling rationale and representative product and records

* Documented procedures for design transfer and design change

* Design and development files


- Added requirements to list.

- Eliminated the requirement related to the management of the interfaces between different groups involved in design and development.


- Added requirements to list.

- Added requirement that the requirements shall be able to be verified or validated.


- Added details of the contents of records.


- Added requirement for documentation of verification plans and interface considerations.

- Requirement added for records of verification.


- Added requirement for documentation of validation plans, product to be used for validation and interface considerations. Requirement added for records of validation.


- New sub-clause added.


- Adds the requirement that the evaluation of the change effect should be made on products in process and on the outputs of risk management and product realization processes.

- Added detail to consider in the determination of the significance of a design and development changes.


- New sub-clause added.

Clause 7.4 - Purchasing

Updates required:

* Increased focus on supplier monitoring and risk

* Documented agreements for prior notification of changes to supplied product

* Linkage between verification of purchased product and change control


- Focuses the supplier selection criteria on the effect of the supplier performance on the quality of the medical device, the risk associated with the medical device, and the product meeting applicable regulatory requirements.

- New requirements added related to monitoring and re-evaluation of suppliers, and action to be taken when purchasing requirements are not met.

- Provides addition details related to the content of the records.


- New requirement added to include notification of changes in purchased product.


- New requirements added on the extent of verification activities and action to be taken when the organization becomes aware of any changes to the purchased product.

Clause 7.5 - Production and service provision

Updates required:

* Qualification of infrastructure

* Analysis of service records

* Documented procedures for validation including statistical techniques, sampling rationale, revalidation

* Validation requirements for processes that cannot or are not subsequently monitored

* Procedures for risk based software validation

* Documented procedure for product identification/status during production; this may be Unique Device Identification (UDI)

* Validation of sterile barrier systems

* Suitability of packaging systems

* Recording of measuring equipment adjustments


- Adds details related to the controls for carrying out production and service provision.


- Added a requirement to the list.


- New requirement for analysis of records for servicing activities.


- Added requirements to the list.

- Adds details related to situations requiring procedures.

- Relates the specific approach to software validation to the risk associated with the use of the software.

- Adds requirements related to the validation records.


- Added requirements for sterile barrier systems.


- Added requirement for unique device identification.

- New requirement for a documented procedure for product identification and regarding identification and product status during production.


- Adds details as to how preservation can be accomplished.

Clause 8.2 - Monitoring and measuring

Updates required:

* Linkages from customer feedback into risk management

* Documented processes for ascertaining whether customer requirements have been met

* Procedures for complaint handling

* Processes for informing third parties of complaints

* Plans for internal audits at defined intervals

* Processes for the identification of test equipment


- Indicates that feedback should come from production and post-production activities.

- Adds a requirement to utilize feedback in risk management processes in order to monitor and maintain product requirements.


- New sub-clause.


- New sub-clause.


- Adds requirement to identify the test equipment used to perform measurement activities.

Clause 8.3 - Control of non-conforming product

Updates required:

* Processes for communication with external parties regarding non-conforming product

* Controls for managing concessions

* Linkages between rework and regulatory requirements

- Added details related to kinds of controls that shall be documented.

- Generalized the requirement to include any investigation and the rationale for decisions.

- Adds requirements related to concessions.

- Separated requirements for nonconformities detected before delivery, detected after delivery and rework.

- Adds requirements for records related to the issuance of advisory notices.

Clause 8.4 - Analysis of data

Updates required:

* Sources of data for analysis, such as service records and audits

* Procedures that cover the application of statistical techniques

* Linkages between the analysis and improvement processes

- Adds the requirement to include determination of appropriate methods, including statistical techniques and the extent of their use.

- Adds detail to list of inputs.

Clause 8.5 - Improvement

Updates required:

* Actions are taken without undue delay

* Evaluation of actions for adverse effects on regulatory requirements and product safety and performance


- Adds the requirement to verify that the corrective action does not have an adverse effect.

- Added requirement for corrective action to be taken without undue delay.


- Adds the requirement to verify that the preventive action does not have an adverse effect.